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DETAILED ACTION 

1 . Claims 1 -36 have been examined. 

Continued Examination Under 37 CFR 1.114 

2. A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1 .17(e), was filed in this application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) 
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.114. Applicant's submission filed on 10/31/08 has been entered. 

Claim Objections 

3. Claim 18 is objected to because of the following informalities: Claim 18 discloses a 
nonvolatile or volatile computer-readable medium, which includes carrier wave as disclosed in 
the specification (Specification: [0059]). Applicant is advised to amend the claim to " a 
computer-readable storage medium". Appropriate correction is required. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 
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5. Claims 1-36 are rejected under 35 U.S.C. 103(a) as being unpatentable over Talpade et al. 
U.S. Pub. No. 20040148520 (hereinafter Talpade) in view of Fan et al. U.S. Pat. No. 6219706 
(hereinafter Fan). 

6. As per claim 1, Talpade discloses a method of preventing an attack on a network, the 
method comprising the computer-implemented steps of: 

receiving an ICMP packet, wherein the ICMP packet carries a portion of a header 
associated with a connection in a connection-oriented transport protocol (Talpade: [0020] lines 
4-5 and lines 13-15: analyze packet header for packet filtering for ICMP packet based on range 
of valid values of various packet header fields); 

and responding to the ICMP packet by updating a parameter associated with the transport 
protocol connection only if the packet filed value is determined to be valid (Talpade: [0017] lines 
27-30: forwarding traffic/updating parameter associated with protocol connection if packet is not 
DDoS packet/the packet value is valid). 

Talpade does not explicitly disclose wherein the portion of the header carries a packet 
sequence value associated with the connection; obtaining a packet sequence value from the 
header; determining if the packet sequence value is valid; and responding to the ICMP packet by 
updating a parameter value associated with the transport protocol connection only if the packet 
sequence value is determined to be valid. 

However, Fan discloses filtering packets based on the sequence number presented in the 
header portion of a packet and update the current session state if sequence value is valid (Fan: 
column 10 lines 27-5 1 : using packet values to filter DoS packets). It would have been obvious to 
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one having ordinary skill in the art to utilize the sequence number contained in the connection- 
oriented packet into the field value of the ICMP packet because they are analogous art used to 
control DoS attack. Therefore, it would have been obvious to one having ordinary skill in the art 
at the time of applicant's invention to combine the teachings of Fan within the system of Talpade 
because it allows packet filter to analyze invalid range of value presented in header for filtering 
purposes. 

7. As per claim 2, Talpade as modified discloses the method of claim 1 . Talpade as 
modified further discloses wherein the ICMP carries a portion of a TCP header associated with a 
TCP connection (Fan: column 10 lines 27-51). Same rationale applies here as above in rejecting 
claim 1 . 

8. As per claim 3, Talpade as modified discloses the method of claim 1 . Talpade as 
modified further discloses wherein the step of receiving an ICMP packet comprises receiving an 
ICMP "endpoint unreachable" error packet (Talpade: [0006]: error packets in denial of service 
attack). 

9. As per claim 4, Talpade as modified discloses the method of claim 1 . Talpade as 
modified further discloses wherein the step of receiving an ICMP packet comprises receiving an 
ICMP packet that specifies that fragmentation is needed (Talpad: [0020] lines 4-6: ICMP 
messages). 
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10. As per claim 5, Talpade as modified discloses the method of claim 1 . Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
the packet sequence value is valid comprises determining if the packet sequence value is within a 
range of packet sequence values that are allowed by the transport protocol for the connection 
(Fan: column 10 lines 27-51). 

11. As per claim 6, Talpade as modified discloses the method of claim 1 . Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
the packet sequence value is valid comprises determining if the packet sequence value is within a 
range of sent but unacknowledged TCP packet sequence values for the connection (Fan: column 
10 lines 27-51). 

12. As per claim 7, Talpade as modified discloses the method of claim 1. Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
the packet sequence value is valid comprises determining if the packet sequence value is exactly 
equal to one or more sequence values of one or more packets that are then-currently stored in a 
TCP re-transmission buffer, starting at a sequence value of a previously sent segment that 
resulted in receiving the ICMP packet (Fan: column 10 lines 35-41). 

13. As per claim 8, Talpade as modified discloses the method of claim 1. Talpade as 
modified further discloses wherein the steps are performed in a router acting as a TCP endpoint 
node (Talpade: [0020]: sensor/firewall). 



Application/Control Number: 10/820,980 
Art Unit: 2431 



Page 6 



14. As per claim 9, Talpade as modified discloses the method of claim 1 . Talpade as 
modified further discloses wherein the steps are performed in a firewall device (Talpade: [0020]: 
packet filtering device/firewall; Fan: column 10 lines 27-51: firewall/packet filter). 

15. As per claim 10, Talpade discloses a method of preventing an attack on a network, the 
method comprising the computer-implemented steps of: 

receiving, at a TCP endpoint node in a TCP/IP packet-switched network (Talpad: [0020] 
line 1-5: monitor all traffic entering customer network that includes TCP/IP protocol), an ICMP 
packet, wherein the ICMP packet carries a portion of a header associated with a connection in a 
connection-oriented transport protocol (Talpade: [0020] lines 4-5 and lines 13-15: analyze packet 
header for packet filtering for ICMP packet based on range of valid values of various packet 
header fields); 

and responding to the ICMP packet by updating a parameter associated with the transport 
protocol connection only if the packet filed value is determined to be valid (Talpad: [0017] lines 
27-30: forwarding traffic/updating parameter associated with protocol connection if packet is not 
DDoS packet/the packet value is valid). 

Talpade does not explicitly disclose wherein the portion of the header includes a packet 
sequence value associated with the connection; obtaining a packet sequence value from the 
header; determining if the packet sequence value is valid; and responding to the ICMP packet by 
updating a parameter value associated with the transport protocol connection only if the packet 
sequence value is determined to be valid. 
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However, Fan discloses filtering packets based on the sequence number presented in the 
header portion of a packet and update the current session state if sequence value is valid (Fan: 
column 10 lines 27-5 1 : using packet values to filter DDoS packets). It would have been obvious 
to one having ordinary skill in the art to utilize the sequence number contained in the connection- 
oriented packet into the field value of the ICMP packet because they are analogous art used to 
control DoS attack. Therefore, it would have been obvious to one having ordinary skill in the art 
at the time of applicant's invention to combine the teachings of Fan within the system of Talpade 
because it allows packet filter to analyze invalid range of value presented in header for filtering 
purposes. 

Talpade as modified does not explicitly disclose updating MTU value associated with the 
TCP connection. However, Talpade discloses forwarding traffic if the packet value is valid 
(Talpad: [0017] lines 27-30) and it would have obvious to one having ordinary skill in the art to 
take different measures to allow traffic including, but not limited to, updating MTU value to 
increase transmission rate to allow traffic. 

16. As per claim 11, Talpade as modified discloses the method of claim 10. Talpade as 
modified further discloses wherein the step of receiving an ICMP packet comprises receiving an 
ICMP "endpoint unreachable" error packet (Talpade: [0006]: error packets in denial of service 
attack). 

17. As per claim 12, Talpade as modified discloses the method of claim 10. Talpade as 
modified further discloses wherein the step of receiving an ICMP packet comprises receiving an 
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ICMP packet that specifies that fragmentation is needed (Talpad: [0020] lines 4-6: ICMP 
messages). 

18. As per claim 13, Talpade as modified discloses the method of claim 10. Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
the packet sequence value is valid comprises determining if the packet sequence value is within a 
range of packet sequence values that are allowed by the transport protocol for the connection 
(Fan: column 10 lines 27-51). 

19. As per claim 14, Talpade as modified discloses the method of claim 10. Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
the packet sequence value is valid comprises determining if the packet sequence value is within a 
range of sent but unacknowledged TCP packet sequence values for the connection (Fan: column 
10 lines 27-51). 

20. As per claim 15, Talpade as modified discloses the method of claim 10. Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
the packet sequence value is valid comprises determining if the packet sequence value is exactly 
equal to one or more sequence values of one or more packets that are then-currently stored in a 
TCP re-transmission buffer, starting at a sequence value of a previously sent segment that 
resulted in receiving the ICMP packet (Fan: column 10 lines 35-41). 
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21. As per claim 16, Talpade as modified discloses the method of claim 10. Talpade as 
modified further discloses wherein the steps are performed in a router acting as a TCP endpoint 
node (Talpade: [0020]: sensor/firewall). 

22. As per claim 17, Talpade as modified discloses the method of claim 10. Talpade as 
modified further discloses wherein the steps are performed in a firewall device (Talpade: [0020]: 
packet filtering device/firewall; Fan: column 10 lines 27-51: firewall/packet filter). 

23. As per claim 18, Talpade discloses a volatile or nonvolatile computer-readable medium 
carrying one or more sequences of instruction, which instructions, when executed by one or more 
processors, cause the one or more processors to perform the steps of: 

receiving an ICMP packet, wherein the ICMP packet carries a portion of a header 
associated with a connection in a connection-oriented transport protocol (Talpade: [0020] lines 
4-5 and lines 13-15: analyze packet header for packet filtering for ICMP packet based on range 
of valid values of various packet header fields); 

and responding to the ICMP packet by updating a parameter associated with the transport 
protocol connection only if the packet filed value is determined to be valid (Talpad: [0017] lines 
27-30: forwarding traffic/updating parameter associated with protocol connection if packet is not 
DDoS packet/the packet value is valid). 

Talpade does not explicitly disclose wherein the portion of the header includes a packet 
sequence value associated with the connection; obtaining a packet sequence value from the 
header; determining if the packet sequence value is valid; and responding to the ICMP packet by 
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updating a parameter value associated with the transport protocol connection only if the packet 
sequence value is determined to be valid. 

However, Fan discloses filtering packets based on the sequence number presented in the 
header portion of a packet and update the current session state if sequence value is valid (Fan: 
column 10 lines 27-51: using packet values to filter DDoS packets). It would have been obvious 
to one having ordinary skill in the art to utilize the sequence number contained in the connection- 
oriented packet into the field value of the ICMP packet because they are analogous art used to 
control DoS attack. Therefore, it would have been obvious to one having ordinary skill in the art 
at the time of applicant's invention to combine the teachings of Fan within the system of Talpade 
because it allows packet filter to analyze invalid range of value presented in header for filtering 
purposes. 

24. As per claim 19, Talpade discloses an apparatus for preventing an attack on a network, 
comprising: 

means for receiving an ICMP packet, wherein the ICMP packet carries a portion of a 
header associated with a connection in a connection-oriented transport protocol (Talpade: [0020] 
lines 4-5 and lines 13-15: analyze packet header for packet filtering for ICMP packet based on 
range of valid values of various packet header fields); 

and means for responding to the ICMP packet by updating a parameter associated with 
the transport protocol connection only if the packet filed value is determined to be valid (Talpad: 
[0017] lines 27-30: forwarding traffic/updating parameter associated with protocol connection if 
packet is not DDoS packet/the packet value is valid). 
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Talpade does not explicitly disclose wherein the portion of the header carries a packet 
sequence value associated with the connection; means for obtaining a packet sequence value 
from the header; means for determining if the packet sequence value is valid; and responding to 
the ICMP packet by updating a parameter value associated with the transport protocol 
connection only if the packet sequence value is determined to be valid. 

However, Fan discloses filtering packets based on the sequence number presented in the 
header portion of a packet and update the current session state if sequence value is valid (Fan: 
column 10 lines 27-51: using packet values to filter DDoS packets). It would have been obvious 
to one having ordinary skill in the art to utilize the sequence number contained in the connection- 
oriented packet into the field value of the ICMP packet because they are analogous art used to 
control DoS attack. Therefore, it would have been obvious to one having ordinary skill in the art 
at the time of applicant's invention to combine the teachings of Fan within the system of Talpade 
because it allows packet filter to analyze invalid range of value presented in header for filtering 
purposes. 

25. As per claim 20, Talpade as modified discloses the apparatus of claim 19. Talpade as 
modified further discloses wherein the step of receiving an ICMP packet comprises receiving an 
ICMP packet that includes a copy of a TCP header associated with a TCP connection (Fan: 
column 10 lines 27-51). Same rationale applies here as above in rejecting claim 1. 

26. As per claim 21, Talpade as modified discloses the apparatus of claim 19. Talpade as 
modified further discloses wherein the step of receiving an ICMP packet comprises receiving an 
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ICMP "endpoint unreachable" error packet (Talpade: [0006]: error packets in denial of service 
attack). 

27. As per claim 22, Talpade as modified discloses the apparatus of claim 19. Talpade as 
modified further discloses wherein the step of receiving an ICMP packet comprises receiving an 
ICMP packet that specifies that fragmentation is needed (Talpad: [0020] lines 4-6: ICMP 
messages). 

28. As per claim 23, Talpade as modified discloses the apparatus of claim 19. Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
the packet sequence value is valid comprises determining if the packet sequence value is within a 
range of packet sequence values that are allowed by the transport protocol for the connection 
(Fan: column 10 lines 27-51). 

29. As per claim 24, Talpade as modified discloses the apparatus of claim 19. Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
the packet sequence value is valid comprises determining if the packet sequence value is within a 
range of sent but unacknowledged TCP packet sequence values for the connection (Fan: column 
10 lines 27-51). 

30. As per claim 25, Talpade as modified discloses the apparatus of claim 19. Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
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the packet sequence value is valid comprises determining if the packet sequence value is exactly 
equal to one or more sequence values of one or more packets that are then-currently stored in a 
TCP re-transmission buffer, starting at a sequence value of a previously sent segment that 
resulted in receiving the ICMP packet (Fan: column 10 lines 35-41). 

31. As per claim 26, Talpade as modified discloses the apparatus of claim 19. Talpade as 
modified further discloses wherein the steps are performed in a router acting as a TCP endpoint 
node (Talpade: [0020]: sensor/firewall). 

32. As per claim 27, Talpade as modified discloses the apparatus of claim 19. Talpade as 
modified further discloses wherein the steps are performed in a firewall device (Talpade: [0020]: 
packet filtering device/firewall; Fan: column 10 lines 27-51: firewall/packet filter). 

33. As per claim 28, Talpade discloses a network element, comprising: 

a network interface that is coupled to a data network for receiving one or more packet 
flows therefrom (Talpade: figure 2: filter router 230); 

a processor (Talpade: figure 2: filter router 230 contains processor); 

on or more stored sequence s of instruction which, when executed by the processor, cause 
the processor to perform the steps of: 

receiving an ICMP packet, wherein the ICMP packet carries a portion of a header 
associated with a connection in a connection-oriented transport protocol (Talpade: [0020] lines 
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4-5 and lines 13-15: analyze packet header for packet filtering for ICMP packet based on range 
of valid values of various packet header fields); 

responding to the ICMP packet by updating a parameter associated with the transport 
protocol connection only if the packet filed value is determined to be valid (Talpad: [0017] lines 
27-30: forwarding traffic/updating parameter associated with protocol connection if packet is not 
DDoS packet/the packet value is valid). 

Talpade does not explicitly disclose wherein the portion of the header includes a packet 
sequence value associated with the connection; means for obtaining a packet sequence value 
from the header; means for determining if the packet sequence value is valid; and responding to 
the ICMP packet by updating a parameter value associated with the transport protocol 
connection only if the packet sequence value is determined to be valid. 

However, Fan discloses filtering packets based on the sequence number presented in the 
header portion of a packet and update the current session state if sequence value is valid (Fan: 
column 10 lines 27-5 1 : using packet values to filter DDoS packets). It would have been obvious 
to one having ordinary skill in the art to utilize the sequence number contained in the connection- 
oriented packet into the field value of the ICMP packet because they are analogous art used to 
control DoS attack. Therefore, it would have been obvious to one having ordinary skill in the art 
at the time of applicant's invention to combine the teachings of Fan within the system of Talpade 
because it allows packet filter to analyze invalid range of value presented in header for filtering 
purposes. 
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34. As per claim 29, Talpade as modified discloses the network element of claim 28. Talpade 
as modified further discloses wherein the step of receiving an ICMP packet comprises receiving 
an ICMP packet that includes a copy of a TCP header associated with a TCP connection (Fan: 
column 10 lines 27-51). Same rationale applies here as above in rejecting claim 1. 

35. As per claim 30, Talpade as modified discloses the network element of claim 28. Talpade 
as modified further discloses wherein the step of receiving an ICMP packet comprises receiving 
an ICMP "endpoint unreachable" error packet (Talpade: [0006]: error packets in denial of service 
attack). 

36. As per claim 31, Talpade as modified discloses the network element of claim 28. Talpade 
as modified further discloses wherein the step of receiving an ICMP packet comprises receiving 
an ICMP packet that specifies that fragmentation is needed (Talpad: [0020] lines 4-6: ICMP 
messages). 

37. As per claim 32, Talpade as modified discloses the network element of claim 28. Talpade 
as modified further discloses wherein the step of authenticating the ICMP packet by determining 
if the packet sequence value is valid comprises determining if the packet sequence value is 
within a range of packet sequence values that are allowed by the transport protocol for the 
connection (Fan: column 10 lines 27-51). 
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38. As per claim 33, Talpade as modified discloses the network element of claim 28. Talpade 
as modified further discloses wherein the step of authenticating the ICMP packet by determining 
if the packet sequence value is valid comprises determining if the packet sequence value is 
within a range of sent but unacknowledged TCP packet sequence values for the connection (Fan: 
column 10 lines 27-51). 

39. As per claim 34, Talpade as modified discloses the network element of claim 28. Talpade 
as modified further discloses wherein the step of authenticating the ICMP packet by determining 
if the packet sequence value is valid comprises determining if the packet sequence value is 
exactly equal to one or more sequence values of one or more packets that are then-currently 
stored in a TCP re-transmission buffer, starting at a sequence value of a previously sent segment 
that resulted in receiving the ICMP packet (Fan: column 10 lines 35-41). 

40. As per claim 35, Talpade as modified discloses the network element of claim 28. Talpade 
as modified further discloses wherein the steps are performed in a router acting as a TCP 
endpointnode (Talpade: [0020]: sensor/firewall). 

41 . As per claim 36, Talpade as modified discloses the network element of claim 28. Talpade 
as modified further discloses wherein the steps are performed in a firewall device (Talpade: 
[0020]: packet filtering device/firewall; Fan: column 10 lines 27-51: firewall/packet filter). 
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Response to Arguments 

42. Applicant's arguments filed on 6/30/08 have been fully considered but they are not 
persuasive. 

Regarding applicant's remarks, applicant argues that the prior art of record does not 
explicitly disclose packet sequence value that is carried within the ICMP packet because there is 
no TCP header after the IP header and before the ICMP packet data. However, the claims 
disclose the packet carries sequence value without specifying the manner for which the sequence 
values are carried. Therefore, the examiner has relied on the combination of references to 
disclose including pertinent information in the packet to filter unauthorized packets. 

On the other hand, applicant argues that the prior art of record does not explicitly disclose 
updating a maximum transmission unit value associated with the TCP connection only if the 
packet sequence number is determined to be valid. However, the examiner has provided rationale 
in the above 35 U.S.C. 103 rejection to state that even although the particular method of allowing 
traffic flow is not specifically disclosed by the prior art of record (Talpade), Talpade discloses 
forwarding traffic flow when a field value is determined to be valid (Talpade: [0017] lines 28- 
30) and it would have been obvious to one having ordinary skill in the art to allow traffic flow by 
updating MTU value because allocating MTU for network traffic is well known in the art. 
Therefore, applicant's argument is traversed in light of above explanation. 
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Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Shin-Hon Chen whose telephone number is (571) 272-3789. The 
examiner can normally be reached on Monday through Friday 8:30am to 5:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Shin-Hon Chen/ 
Examiner, Art Unit 243 1 
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